
The White House Office of the National Cyber Director (ONCD) is calling on technology leaders to work together to shrink the software attack surface by adopting memory-safe programming languages.
Memory safety vulnerabilities have been among the most pervasive classes of security bugs for decades, according to a report released by the office. They arise when code accesses, writes, allocates, or frees memory incorrectly, for example by reading past the end of a buffer or using memory after it has been freed. Well-known examples include the Morris Worm, the Slammer Worm, Heartbleed, and BLASTPASS.
According to ONCD, the most effective way to eliminate memory safety vulnerabilities at scale is to build software in languages that are memory safe by design. Memory-safe programming languages such as Rust, Go, C#, Java, Swift, Python, and JavaScript enforce bounds and lifetime rules for the programmer and so rule out most of these vulnerabilities, provided the code stays out of the languages' explicitly unsafe escape hatches and foreign-function boundaries.
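To make concrete what such a flaw looks like, here is an added example (not code from the ONCD report, from OpenSSL, or from any project the article mentions): a C handler for a heartbeat-style record in the Heartbleed pattern, trusting a length field read from the wire, beside a hardened version that performs the bounds check a memory-safe language would enforce on every array access. The record layout follows RFC 6520, but the payload, the adjacent `SECRET` string, and the function names are all constructed for the demonstration, and the over-read is deliberately kept inside one local array so the demo itself has no undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat-style record: 1-byte type, 2-byte big-endian payload length,
 * then the payload. Layout as in RFC 6520; the code is a teaching example. */
enum { HB_HEADER_LEN = 3, HB_REQUEST = 1 };

static uint16_t read_be16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable: trusts the length field inside the record and echoes that
 * many bytes, never consulting how many payload bytes actually arrived.
 * When declared > actual, memcpy reads past the payload into whatever
 * sits after it in memory (the Heartbleed pattern). Returns bytes echoed.
 * The cap on out_cap only keeps the demo's write side in bounds; the
 * original bug was the unchecked read, not the write. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                          /* actual length is ignored */
    if (rec[0] != HB_REQUEST) return 0;
    size_t declared = read_be16(rec + 1);
    if (declared > out_cap) declared = out_cap;
    memcpy(out, rec + HB_HEADER_LEN, declared);   /* over-read if declared > payload */
    return declared;
}

/* Hardened: the declared length must fit inside the bytes that actually
 * arrived and inside the output buffer; otherwise the record is silently
 * discarded, as RFC 6520 requires. Returns bytes echoed, 0 on reject. */
size_t heartbeat_hardened(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN || rec[0] != HB_REQUEST) return 0;
    size_t declared = read_be16(rec + 1);
    if (declared > rec_len - HB_HEADER_LEN) return 0;   /* the missing check */
    if (declared > out_cap) return 0;
    memcpy(out, rec + HB_HEADER_LEN, declared);
    return declared;
}

/* Constructed "process memory": a record with a 5-byte payload followed by
 * data the peer must never see. In a real process the over-read would walk
 * into neighbouring heap allocations instead. Returns the real record length. */
#define SECRET "SECRET-KEY-MATERIAL"

static size_t build_memory(unsigned char *mem, size_t cap, uint16_t declared_len)
{
    const char payload[] = "hello";
    size_t rec_len = HB_HEADER_LEN + sizeof(payload) - 1;
    memset(mem, 0, cap);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(declared_len >> 8);
    mem[2] = (unsigned char)(declared_len & 0xff);
    memcpy(mem + HB_HEADER_LEN, payload, sizeof(payload) - 1);
    memcpy(mem + rec_len, SECRET, sizeof(SECRET) - 1);   /* adjacent secret */
    return rec_len;
}

/* True when the vulnerable handler leaks the secret for a record that
 * claims 40 payload bytes but carries 5, and the hardened one rejects it. */
bool demo_heartbleed_pattern(void)
{
    unsigned char mem[64], out[64];
    size_t rec_len = build_memory(mem, sizeof mem, 40);

    size_t n_vuln = heartbeat_vulnerable(mem, rec_len, out, sizeof out);
    /* the 5 real payload bytes come first, then 19 bytes of secret */
    bool leaked = n_vuln == 40 &&
                  memcmp(out + 5, SECRET, sizeof(SECRET) - 1) == 0;

    size_t n_hard = heartbeat_hardened(mem, rec_len, out, sizeof out);
    return leaked && n_hard == 0;
}

/* True when the hardened handler still serves an honest record correctly. */
bool demo_honest_record(void)
{
    unsigned char mem[64], out[64];
    size_t rec_len = build_memory(mem, sizeof mem, 5);    /* claims 5, sends 5 */
    size_t n = heartbeat_hardened(mem, rec_len, out, sizeof out);
    return n == 5 && memcmp(out, "hello", 5) == 0;
}

int main(void)
{
    printf("vulnerable leaks and hardened rejects: %s\n",
           demo_heartbleed_pattern() ? "yes" : "no");
    printf("hardened accepts honest record: %s\n",
           demo_honest_record() ? "yes" : "no");
    return 0;
}
```

The hardened handler amounts to one length comparison, which is what the fix for this class of bug always comes down to in C. A memory-safe language performs that comparison implicitly on every slice or array access, which is the report's point; it does not protect code that drops into an unsafe block or calls into a C library, so the boundary between safe and unsafe code still needs review.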
“Since many cybersecurity issues start with a line of code, one of the most effective ways to address these issues is to examine the programming language itself. Ensuring that a programming language includes certain properties, such as memory or type safety, means that software built on those foundations automatically inherits the safety those features provide,” the report said.
ONCD is also asking technology vendors to explore memory-safe hardware and points to several promising developments. One is memory tagging, a processor extension that associates a tag with each allocation and checks a pointer's tag against it before the access is performed, catching many out-of-bounds and use-after-free accesses at runtime. Another is Capability Hardware Enhanced RISC Instructions (CHERI), which replaces raw pointers with hardware-enforced capabilities that bound the memory each reference may access.
Beyond memory-safe software and hardware, the report also calls for better ways to measure software security. ONCD argues that better measurement would let technology vendors predict and mitigate vulnerabilities before software goes into production.
“Better cybersecurity quality metrics change the equation because they will enable data-driven decision making throughout the supply chain. While technical executives, such as CTOs, CIOs, and CISOs, play a critical role in implementing this vision, cybersecurity quality must also be viewed as a business imperative that is ultimately the responsibility of the CEO and board of directors. Solving the software measurability problem would fully realize the utility of this metric, closing a vital information gap and driving long-term investment in software security. This would enable all ecosystem stakeholders to see their return on investment or clearly understand the risk of lower quality products,” the report said.
This is one step among several in the White House's cybersecurity agenda. In March 2023 the Biden administration released the National Cybersecurity Strategy, and it has since published the National Cybersecurity Strategy Implementation Plan and the National Cyber Workforce and Education Strategy.